
The only frickin possible way for a program to run entirely in and from memory is if you have a RAM disk. RAM disks are virtual "harddrives" which take a chunk of your REAL memory for use. In that case, just copy the file from your RAM disk to your hard disk.

Since this is NOT your case - cause RAM disks haven't been used really since the reign of DOS - you just don't know what you're talking about. In the EXTREMELY UNLIKELY possibility that you can even do that, there is no way to save the file to disk unless that program gives you the option to do this. Even when a program is run from the disk - the entire thing isn't stored into memory. It's not about a file being put in memory, it's about various modules of code within that file being loaded and unloaded.

Actually SR my Brother in law has a job doing high end video editing. He told me of a 40 gig ram hard drive that some vendor is trying to get them to buy... It can act as a HD but more importantly you have 40 FUCKING GIGS of RAM

Originally posted by Gizmo: Please register a nickname before you post. To the moderator who turned everyone on in the control panel, I will be removing BOTH curse AND defcon the next time this happens.

I have registered. You can call me anonymous, like in my sig. And what do you mean by "I will be removing BOTH curse AND defcon the next time this happens"? EDIT: My mistake, you mean the moderators. Please don't remove them, they have done nothing. I am a registered user. (number 269.)

Quote:

The only frickin possible way for a program to run entirely in and from memory is if you have a RAM disk. RAM disks are virtual "harddrives" which take a chunk of your REAL memory for use. In that case, just copy the file from your RAM disk to your hard disk.

I don't think so. Some programs you can run off the hard drive, and then delete. This doesn't alter the functionality of the program so it must all be there running in memory so there should be a way to save it.

I still don't think you know what's really going on. But I'll humor you and ask for more info. Do you have a good task monitor? I recommend TaskInfo2002 which you can download from download.com. Get that, run it, look for your phantom process in it - and tell me what it says the cmd line is. This should be at least the path of the executable.

And no there's no way you can save it from RAM unless the program itself gave you that option. It is possible, but the required tools do not exist, and it may not be something a tool can do. You'd have to write a program to specifically save that program. Also, the technique you refer to in having it execute and delete itself - isn't useful and therefore I don't see why anybody would do it. Rebooting the computer would cease its existence.

Originally posted by SilentRage: I still don't think you know what's really going on. But I'll humor you and ask for more info. Do you have a good task monitor? I recommend TaskInfo2002 which you can download from download.com. Get that, run it, look for your phantom process in it - and tell me what it says the cmd line is. This should be at least the path of the executable.

I usually use process explorer by sysinternals, but I'll check it out.

Quote:

And no there's no way you can save it from RAM unless the program itself gave you that option. It is possible, but the required tools do not exist, and it may not be something a tool can do. You'd have to write a program to specifically save that program.

So I could write a program to do it then right? Are you sure you couldn't write a program that could save any program in RAM?

Quote:

Also, the technique you refer to in having it execute and delete itself - isn't useful and therefore I don't see why anybody would do it. Rebooting the computer would cease its existence.

I meant, if you have a program on your computer and you run it, then delete the program, can you save it from the RAM in which it's running in any way? Thanks for your patience.

I'm familiar with the sysinternals process explorer - while I'm a big fan of sysinternals... TaskInfo2002 kicks all ass.

"Are you sure you couldn't write a program that could save any program in RAM?"

Ah, what a difficult question. I wish I knew more about how programs are executed, but I'll speak from hearsay. The technique you describe may involve the program sticking its entire file into some chunk of memory. And from that memory, it will load various modules as needed. All programs have their virtual address space (literal address space is swapped in and out just like process code for the processor to enable multi-tasking) in memory to run in, and it may not be contiguous - nor ordered in any consistent fashion. So the trick is to hope that the file IS stored in a contiguous fashion in memory (or using some means of keeping track of the order of file chunks) for dumping to file. The location of the file's memory location may be determined in the program's own code. This is why it may not be possible to save just any ole program running in memory. You'd have to know the program code itself. You can probably find and copy the program's address space and stack to file using the process handle, but anything else is program-specific.

Erm, if somebody knew more than I did on the subject, they could probably point out a few things where I'm mistaken, but I hope to at least show you how difficult this undertaking would be.

But anyway, here we speak about programming theory. I'd like to know what TaskInfo2002 has to say about your phantom process.
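Added example, not written by any poster in this thread: a sketch of why a straight copy of a running Windows program's memory is not the file on disk, and how a forensic dump is put back into file layout using the PE section table (a format the thread does not mention). The function names are hypothetical, and the sample image is constructed with an empty optional header, so it is not a loadable executable.

```python
import struct

# One 40-byte section header: Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, (12 bytes skipped), Characteristics.
SECTION_HDR = struct.Struct("<8sIIII12xI")

def parse_sections(image):
    """Return (name, vsize, vaddr, raw_size, raw_ptr) per section header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe, = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", image, pe + 6)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    table = pe + 24 + opt_size                         # section table start
    out = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr, _ = SECTION_HDR.unpack_from(
            image, table + 40 * i)
        out.append((name.rstrip(b"\0").decode(), vsize, vaddr, rsize, rptr))
    return out

def map_image(file_bytes):
    """Lay the file out the way a loader does: sections at their virtual
    addresses, zero-filled gaps. Simplification: header length is taken as
    the lowest raw pointer instead of reading SizeOfHeaders."""
    secs = parse_sections(file_bytes)
    hdr_len = min(s[4] for s in secs)
    mem = bytearray(max(va + max(vs, rs) for _, vs, va, rs, _ in secs))
    mem[:hdr_len] = file_bytes[:hdr_len]
    for _, _, vaddr, rsize, rptr in secs:
        mem[vaddr:vaddr + rsize] = file_bytes[rptr:rptr + rsize]
    return bytes(mem)

def unmap_image(mem):
    """Rebuild file layout from a memory-layout dump of one module."""
    secs = parse_sections(mem)          # headers sit at offset 0 in both
    hdr_len = min(s[4] for s in secs)
    out = bytearray(max(rp + rs for _, _, _, rs, rp in secs))
    out[:hdr_len] = mem[:hdr_len]
    for _, _, vaddr, rsize, rptr in secs:
        out[rptr:rptr + rsize] = mem[vaddr:vaddr + rsize]
    return bytes(out)

def build_sample():
    """Constructed two-section image (0x600 bytes on disk)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 2, 0, 0, 0, 0, 0x102)
    hdr[0x98:0xC0] = SECTION_HDR.pack(b".text", 0x10, 0x1000, 0x200, 0x200,
                                      0x60000020)
    hdr[0xC0:0xE8] = SECTION_HDR.pack(b".data", 0x300, 0x2000, 0x200, 0x400,
                                      0xC0000040)
    text = (b"\x90" * 0x10).ljust(0x200, b"\0")
    data = b"constructed data".ljust(0x200, b"\0")
    return bytes(hdr) + text + data

if __name__ == "__main__":
    disk = build_sample()
    mem = map_image(disk)
    print(len(disk), len(mem), unmap_image(mem) == disk)
```

On a real process the rebuilt file still differs from the original: the loader has applied relocations and filled in import addresses, and writable sections hold run-time values.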

Phantom process? ...Oh, this is only theoretical. I don't have a "phantom process" actually running, I was just wondering if it could be done. I didn't see what you meant when you suggested taskinfo for some reason. Thanks anyway though, I like it!

About what you said:

Quote:

The location of the file's memory location may be determined in the program's own code. This is why it may not be possible to save just any ole program running in memory. You'd have to know the program code itself. You can probably find and copy the program's address space and stack to file using the process handle, but anything else is program-specific.

I don't see why that should be a problem. There are disassemblers that work by running the code (sort of) I guess in a "sandbox" environment, so you should be able to write a program that goes through the code of the program looking for all the parts that load other modules, etc. and put it back in sequence, and then save it. Essentially, if the CPU can follow the code through and have no problem running every part of the program, then another program should be able to go through every part of the program and save it sequentially the way it must have been originally (an exe or whatever). Do you see what I mean? I think it can be done.

well, if some delete-happy fricker would stop deleting posts I might be able to read what you said before to get a better idea what you were talking about.

But anyway... *grumble*... yes, you can run a disassembler and do exactly as you said. But the fact remains - it's NOT useful! NO program out there runs and deletes itself! This is what they do instead:

* Place Program1 on your desktop, and execute it.
* Program1 copies itself to another location and names itself Program2
* Program1 then terminates
* Program2 then deletes Program1 and may continue running

(to hide oneself from task monitors you may execute your program in another program's address space - I have no idea how this is done - but it has been)

From the user's point of view, the program is running and had deleted itself - but that is not the case. Windows will not allow this cause IT DOES NOT WORK THAT WAY!!! It's infuriating cause I'm one to believe that nothing is impossible, but that is so against how everything is set up. Windows is what passes the program code to the processor. Windows is what juggles all the running processes around in the processor and memory - giving each program a certain priority level in how often its code is run in that processor. Windows is in control, and all programs must adhere to its rules or it won't work! This is how all operating systems work. For a program to wrest control away from windows and to run completely on its own and only FROM memory... I just don't see the point. Until I see how this can be useful - and possible - I refuse to consider for another moment that this can be done.

Originally posted by SilentRage: yes, you can run a disassembler and do exactly as you said. But the fact remains - it's NOT useful! NO program out there runs and deletes itself! This is what they do instead...

I know what they do. I'm not stupid. And actually it could be useful. What if you ran a program then deleted it, and decided you wanted it back? If it was still running you could use this theoretical utility to recover it.

Quote:

(to hide oneself from task monitors you may execute your program in another program's address space - I have no idea how this is done - but it has been)

Now THAT's interesting. I was wondering about this before, trying to think of a way to hide a program even from a task monitor, and thought of doing that. But I couldn't think of exactly how it would be done either...yet. Oh, and you say it HAS been done. Can you tell me how you know? Maybe post a link or something?

Quote:

For a program to wrest control away from windows and to run completely on its own and only FROM memory... I just don't see the point.

You don't see the point? If a program could run with the same amount of power as the OS (or greater) say, by intercepting the system hooks, then it could do anything! You could take control over windows. But I don't see why it couldn't be run within windows.

Quote:

Until I see how this can be useful - and possible - I refuse to consider for another moment that this can be done.

See above.

Quote:

So, you can't make that utility cause it would have no purpose.

I'm sorry, but that statement is just funny. You cannot do it because there is no reason to?! Ever heard of logic?...Forgive me, maybe I misunderstood what you meant. I'll give you a chance to explain.

"What if you ran a program then deleted it, and decided you wanted it back?"

Since windows is in control, and it has a certain way of doing things, it won't let files be deleted unless the program is first terminated. So 1: you can't delete a running program - 2: if you did delete a program - then it's not running in memory. If you try to delete the program by executing low-level instructions meant straight for the hard drive - then you run the risk of crashing windows - or at least that program.

"Oh, and you say it HAS been done. Can you tell me how you know?"

I have discussed this topic with a very knowledgeable person and he told me it has been done. He said the BackOrifice 2000 code does this. This code is freely available on the internet. I have a copy if you can't find it.

"For a program to wrest control away from windows and to run completely on its own and only FROM memory... I just don't see the point."

I did not mean that remark at face value. I don't see the point of doing all that just to be able to run from memory. It's overkill - and not worth it.

"So, you can't make that utility cause it would have no purpose."

Shall I make an example? Let's say you made a utility whose purpose is to erase a picture of an egg that some virus loves to draw to screen. Even though this virus can never be removed from the computer - unless you reformat - you can still lose no data if you run your utility that makes sure the egg is never drawn to screen. You make this utility very very smart, in how it analyzes the screen picture and filters for all egg pictures - AND hooks into various graphics API to look for telltale signs of an egg about to be drawn - and block it. Pretty powerful program no? Well, guess what. Nobody wants it. It has no purpose. There is no such thing as a program which draws eggs to the screen and cannot be removed except by reformatting. Good job son, here's a cookie.

This fits right into your theoretical utility that debugs another process looking for something that has never been done - cause nobody would want to do it anyway - cause it gains you nothing - and much better and easier and more possible and proven workable methods exist out there. And don't give me crap about - "what if it DOES happen?" - cause you cannot possibly predict all the methods a program may save itself into memory - all the techniques and formats this data may be represented in memory. Only AFTER it has been done may you make a utility which handles whatever technique they employed. THEN it will be useful - so THAT is why I don't want to know if you even can. The argument has no purpose and gains nothing.

Originally posted by SilentRage: Since windows is in control, and it has a certain way of doing things, it won't let files be deleted unless the program is first terminated. So 1: you can't delete a running program - 2: if you did delete a program - then it's not running in memory. If you try to delete the program by executing low-level instructions meant straight for the hard drive - then you run the risk of crashing windows - or at least that program.

Not true. I just tested it myself to make sure I was right. I copied a program, ran it, then while it was running, deleted the program from the location I ran it in. No problems.

Quote:

I have discussed this topic with a very knowledgeable person and he told me it has been done. He said the BackOrifice 2000 code does this. This code is freely available on the internet. I have a copy if you can't find it.

You have the source code? I'd be interested in looking at that. I could get the program and disassemble it, but the assembly version wouldn't help me.

Quote:

Let's say you made a utility whose purpose is to erase a picture of an egg that some virus loves to draw to screen. Even though this virus can never be removed from the computer - unless you reformat - you can still lose no data if you run your utility that makes sure the egg is never drawn to screen. You make this utility very very smart, in how it analyzes the screen picture and filters for all egg pictures - AND hooks into various graphics API to look for telltale signs of an egg about to be drawn - and block it. Pretty powerful program no? Well, guess what. Nobody wants it. It has no purpose. There is no such thing as a program which draws eggs to the screen and cannot be removed except by reformatting. Good job son, here's a cookie.

*Sigh* You don't seem to understand. I just gave you a reason why this program could be useful. Your analogy doesn't apply. I NEVER said there was a program that runs and deletes itself. I said "what if you ran a program and deleted it yourself and wanted it back". Now you were saying it couldn't be done, but it can. I just did it a couple of minutes ago when I started this post.

Quote:

...you cannot possibly predict all the methods a program may save itself into memory - all the techniques and formats this data may be represented in memory. Only AFTER it has been done may you make a utility which handles whatever technique they employed. THEN it will be useful - so THAT is why I don't want to know if you even can. The argument has no purpose and gains nothing.

...When a program runs it gets loaded into a certain part of memory, just like every other program. The program can't alter this because it has to be loaded before it can even execute any commands to change that! Since it's done the same way for each program (except maybe the difference between DOS and Win32 apps, but it's just loaded to a different part of memory which can also be checked) the program should be able to detect each program that's been loaded and follow each instruction it executes and disassemble it and compile the assembly language into a program and save it. Before you start your counter argument please check out this website. They made a very powerful program called digital cortex. Read what it can do.

ok, haven't read the site yet - took a peek though to see what you were talking about. But I figure my response to be simple enough that I won't need to yet.

I copied notepad.exe to C:\. Then I executed it. Then I tried to delete it and got this message:

Cannot delete NOTEPAD: Access is denied. The source file may be in use.

Alrighty, that was on Win2k. Now let's see what Win98 says:

Cannot delete notepad: The specified file may be in use by windows

Well Blimey! I do know what I was talking about! Please don't make me ask other people to do the exact same thing. Every one of them will get the same error messages.

So what program are you executing and deleting? Are you doing anything special like running Digital Cortex? And after you executed the program, then deleted it - what did TaskInfo2002 have to say about its cmdline?

---

Another note. Take a look at the memory usage of various programs. You'll notice that some of them use less memory than the size of their executable. Why is that? Cause the entire program may NOT be loaded into memory on execution! Are you a programmer? I am, and one trick that I do is not load modules during program startup - so that the program loads faster. Then during execution I may load other modules in the code as I need them. This is efficient on time and memory.

This is not debatable! Some things I said up there in previous posts I am not 100% sure on, but all info presented in THIS post IS 100% correct, and don't you DARE tell me otherwise!

You CANNOT delete notepad.exe WHILE IT IS RUNNING! Not unless you use some miracle program which does some fancy shmancy shit. So if you ARE using some fancy program to delete a running program, please cut the crap and tell me!

---

P.S. I am smiling right now. Despite the way I speak, I do not feel frustration or any negative feelings. I am simply emphasizing points very strongly and doubting your intelligence.

Originally posted by SilentRage: ok, haven't read the site yet - took a peek though to see what you were talking about. But I figure my response to be simple enough that I won't need to yet.

OK then, take a look at the site. You may find some interesting stuff. Be sure to check out the whitepapers.

Quote:

I copied notepad.exe to C:\. Then I executed it. Then I tried to delete it and got this message:

Cannot delete NOTEPAD: Access is denied. The source file may be in use.

Alrighty, that was on Win2k. Now let's see what Win98 says:

Cannot delete notepad: The specified file may be in use by windows

Well Blimey! I do know what I was talking about! Please don't make me ask other people to do the exact same thing. Every one of them will get the same error messages.

Hmm. I copied command.com, ran it, and deleted it. It was the first program I came across. I'll try another program... OK it didn't work. Why am I not surprised. After all, I have seen the error before.

Quote:

Another note. Take a look at the memory usage of various programs. You'll notice that some of them use less memory than the size of their executable. Why is that? Cause the entire program may NOT be loaded into memory on execution!

Why didn't I think of that before?! You should have said that sooner. Oh well.

Quote:

Are you a programmer?

I'm working on it.

Quote:

You CANNOT delete notepad.exe WHILE IT IS RUNNING! Not unless you use some miracle program which does some fancy shmancy shit. So if you ARE using some fancy program to delete a running program, please cut the crap and tell me!

Nope, no fancy shmancy stuff. I just did it with a DOS program (oops).

Quote:

P.S. I am smiling right now. Despite the way I speak, I do not feel frustration or any negative feelings. I am simply emphasizing points very strongly and doubting your intelligence.

Well, I don't feel too bright right now, but I'm not stupid. I forgot that the program isn't always loaded entirely into memory. If it was I suppose it would be possible, but...yeah, you know what I mean. Well, thanks for helping me get this cleared up.

heh, look up at the very first post I made in this topic. I said THERE that the entire program is not loaded into memory. I guess I just have to remember to repeat myself.

and wow, check that out. I tried command.com and edit.com and both could be deleted after you execute them! coooooooool. I didn't know this before - but yeah, com files are completely different from exe files. They are run in the virtual DOS environment. I'm thinking that they ARE loaded completely into memory and run - and that's why you can delete it after you run it. Very nifty.

Hey buddy, we're both learning stuff here.

"Well, I don't feel too bright right now, but I'm not stupid."

Aaah, yes, finally got a bit of humility out of ya - and without completely debasing yourself, good. heh, I was kidding before - I am not doubting your intelligence. All I've got up on ya is more reading - more knowledge. You've got the right kind of mind to get far.

Heh, look up at the very first post I made in this topic. I said THERE that the entire program is not loaded into memory. I guess I just have to remember to repeat myself.

Oops, you did say it in your first post! I must have forgotten.

Quote:

Hey buddy, we're both learning stuff here.

Yeah. I just learned that the deleted posts in this thread are still viewable. When you go to post, scroll down. You can see the posts I made!

Quote:

Aaah, yes, finally got a bit of humility out of ya - and without completely debasing yourself, good. heh, I was kidding before - I am not doubting your intelligence. All I've got up on ya is more reading - more knowledge. You've got the right kind of mind to get far.

How old are ya anyway?

Thanks. Contrary to what someone said in a previous post in another one of my threads, I'm not a kid. I'm 20.

Yes, he thinks you're a lamer cause you made a null nick. All the arguing in the world will not change that and only make things worse. Just think to yourself that Gizmo needs to take a chill pill and move on...